Sherman's Security Blog
I am Sherman Hand. (also known as Policysup) I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down to earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations,re posts, or information that is already in the public domain.

Monthly Archives: December 2014

Prominent North Korean websites were back online Tuesday after an hours-long shutdown that led to speculation by some researchers and web watchers that the country’s Internet connections could be under cyberattack.

South Korean officials told the Associated Press that Internet access to the North’s official Korean Central News Agency and the Rodong Sinmun newspaper were working normally Tuesday after being inaccessible earlier. Those sites are the main channels for official North Korea news, with servers located abroad.

The outage came less than a week after the U.S. vowed an unspecified response to a massive hacking attack against Sony Pictures Entertainment over the release of the comedy film “The Interview.” The plot of the comedy centers on the assassination of North Korean leader Kim Jong Un, leading to widespread speculation that the country was responsible for the attack. Late last week, the FBI publicly blamed North Korea in the incident, though Pyongyang has denied involvement.

The White House and the State Department on Monday declined to say whether the U.S. government had any role in North Korea’s Internet problems.

“We have no new information to share regarding North Korea today,” White House National Security Council spokesperson Bernadette Meehan told Fox News. “If in fact North Korea’s Internet has gone down, we’d refer you to that government for comment.”

North Korean diplomat Kim Song, asked Monday about the Internet attack, told The Associated Press: “I have no information.”

North Korea is one of the least connected countries in the world. Few North Koreans have access to computers, and even those who do are typically able to connect only to a domestic intranet that works with its own browsers, search engine and email programs, according to South Korea’s Unification Ministry. Though North Korea is equipped for broadband Internet, only a small, approved segment of the population has any access to the World Wide Web. More than a million people, however, are now using mobile phones in North Korea. The network covers most major cities but users cannot call outside the country or receive calls from outside.

Doug Madory, the director of Internet analysis at New Hampshire-based Dyn Research, a company that studies Internet connectivity, said the problems were discovered over the weekend and grew progressively worse to the point that “North Korea’s totally down.”

“They have left the global Internet and they are gone until they come back,” he said.

He said one benign explanation for the problem was that a router may have suffered a software glitch, though a cyberattack involving North Korea’s Internet service was also a possibility.

Routing instabilities are not uncommon, but this particular outage had gone on for hours and was getting worse instead of better, Madory said.

Another Internet technology service, Arbor Networks, which protects companies against hacker attacks, said its monitoring detected denial-of-service attacks aimed at North Korea’s infrastructure starting Saturday and persisting Monday. Such attacks transmit so much spurious data traffic to Internet equipment that it becomes overwhelmed, until the attacks stop or the spurious traffic can be filtered and discarded to allow normal connections to resume.

President Obama said Friday that the U.S. government expected to respond “proportionately” to the hacking of Sony, which he described as an expensive act of “cyber vandalism” that he blamed on North Korea. Obama did not say how the U.S. might respond.

“We aren’t going to discuss, you know, publicly operational details about the possible response options or comment on those kind of reports in anyway except to say that as we implement our responses, some will be seen, some may not be seen,” State Department spokeswoman Marie Harf said last week.

That FBI revealed the malware used Microsoft Windows components to propagate, shut down network services and get instructions from its controllers. This means that enterprises that use Windows and Microsoft server software are vulnerable to attack, especially those not using the latest versions of the software.

A Computer Weekly source said he felt it was important that the FBI and President Obama was getting involved in a cyber attack.

“I think security is the big topic,” he said. “Imagine life if the bad guys hacked and damaged air traffic control, railways, traffic lights, power grid, gas distribution, logistics systems, food distribution, power stations and so on. Not a nice thought.”

But there is no evidence as yet to suggest that North Korea had anything to do with the attack against South Korea’s nuclear power.

An organized gang of hackers from Russia and Ukraine has broken into internal networks at dozens of financial institutions and installed malicious software that allowed the gang to drain bank ATMs of cash. While none of the victim institutions were in the United States or Western Europe, experts say the stealthy methods used by the attackers in these heists would likely work across a broad range of western banks.

Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards. But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.

A number of the gang’s members are believed to be tied to a group of Eastern European hackers accused of stealing more than USD $2 million from Russian banks using a powerful, custom-made banking trojan known as Carberp. Eight men in Moscow were arrested in 2012 and accused of building and using Carberp, but sources say the core members of the gang were out of jail within hours after their arrest and have been busy rebuilding their crime machine ever since.

According to report released today by Fox-IT and Group-IB, security firms based in The Netherlands and Russia, respectively, the Carberp guys have since changed their tactics: Instead of stealing from thousands of bank account holders, this gang has decided to focus on siphoning funds right out of banks’ coffers. So far, the security firms report, the gang has stolen more than $15 million from Eastern European banks.

To gain a foothold inside financial institutions, this crime group — dubbed the “Anunak group” — sent bank employees targeted, malware-laced emails made to look like the missives were sent by Russian banking regulators. The phishing emails contained malicious software designed to exploit recently-patched security holes in Microsoft Office products.

Incredibly, the group also reportedly bought access to Windows PCs at targeted banks that were already compromised by opportunistic malware spread by other cyber criminals. Indeed, Fox-IT and Group-IB report that the Anunak gang routinely purchased installations of their banking malware from other cybercriminals who operated massive botnets (collections of hacked PCs).

Once inside a financial institution, the criminals typically abused that access to launch even more convincing spear-phishing attacks against other banks. They also gained access to isolated bank network segments that handled ATM transactions, downloading malicious programs made to work specifically with Wincor ATMs. The hackers used that malware — along with a modified legitimate program for managing ATM cash trays — to change the denomination settings for bank notes in 52 different ATMs.

As a result, they were able to make it so that when co-conspirators went to affected ATMs to withdraw 10 bills totaling 100 Russian rubles, they were instead issued 10 bank notes with the denomination of 5,000 rubles, the report notes.

The Anunak gang reportedly modified this legitimate program for managing bill denominations in ATMs.

It was bad enough that this group is believed to have hacked into more than 50 Russian banks, but nasty messages encoded into the malware tools employed by the thieves suggest they hold utter contempt for their targets. One malware component the group used to infect targeted systems carried inside of itself the text string “LOL BANK FUCKIUNG”. Another strain of malware deployed by this group’s targeted email campaigns and used to build their own botnet of more than a quarter-million PCs was encrypted with a key that is the MD5 hash of the string “go fuck yourself.”

While they appear to have developed a penchant for stealing directly from banks, these crooks aren’t above going after easy money: Sources tell KrebsOnSecurity that this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.

A separate source previously told this author that there was a connection between the point-of-sale malware used in the breach at Michaels and the Staples incident, which means this group may also have been involved in the Michaels breach. In any case, Group-IB and Fox-IT note that the Anunak gang has hit a total of 16 retailers so far.

The attacks from Anunak showcase once again how important it is for organizations to refocus more resources away from preventing intrusions toward detecting intrusions as quickly as possible and stopping the bleeding. According to the report, the average time from the moment this group breaks into bank internal networks and the successful theft of cash is a whopping 42 days.

The affected software is the embedded web server RomPager from AllegroSoft, which is typically embedded in the firmware released with router and gateway devices.

Check Point Software Technologies has estimated there are approximately 12 million readily exploitable unique devices connected to the internet present in 189 countries across the globe, making this one of the most widespread vulnerabilities revealed in recent years. Research suggests the true number of affected devices may be even greater.

This latest vulnerability affects embedded software in the router’s firmware.

According to Check Point, a vulnerable internet gateway device would affect any device connected to the user’s network, including computers, phones, tablets, printers, security cameras and other devices.

“Misfortune Cookie is a serious vulnerability present in millions of homes and small businesses around the world and, if left undetected and unguarded, could allow hackers to not only steal personal data, but control peoples’ homes,” said Check Point Software Technologies malware and vulnerability research manager Shahar Tal.

Attackers can use vulnerability to steal data

Check Point said an attacker exploiting the Misfortune Cookie vulnerability would be able to monitor the user’s internet connection, steal credentials and personal or business data, or attempt to infect other machines on the network with malware.

According to Check Point, at least 200 models of devices from various manufacturers and brands currently expose a vulnerable service on the public internet address space. The majority of these devices are residential gateways. The list includes models by D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL, among others.

Check Point said: “We suspect the source for inclusion of the vulnerable piece of software is a common chipset software development kit (distributed to the different manufacturers), however this cannot be confirmed at this point.”

Check Point has recommended consumers and small businesses install an additional firewall, such as ZoneAlarm. Advanced users and IT administrators should check if their router manufacturer has issued a firmware update.

Have you somehow still not gotten a chance to try Inbox, despite Google opening up the service to anyone who asked on multiple occasions?

It’s okay. I understand. You can’t be sitting on Twitter looking for these sorts of things to pop up all the time. You have stuff to do. Important things, like “Work”, or “Feeding the dog”, or “literally anything that isn’t staring at a computer monitor all day.”

Whatever the case: Google is loosening reins a bit again today. Alas, it’s not the free-for-all chaos that they’ve unleashed a few times with their “You get an invite! You get an invite! You get an invite!” style happy hours, but it’s still pretty easy: just ask anyone who has Inbox for an invite.

While Google has given users a slow trickle of friend-to-friend invites since launch, they just dumped a 10-pack of invites onto the laps of anyone and everyone who has already made their way past the front door.

If you’ve got a friend on Inbox who has told you they were out of invites, get to pestering — they’ve got more now.

The recent attack on Sony Pictures Entertainment is about as scary as it gets as emails which insulted the company’s hired talent or actors has been released. In just one incident a director called Angelina Jolie a spoiled, untalented, egomaniacal Brat. Then there were racially charged comments about President Obama. A leak of tens of thousands of salaries and social security numbers. The leak of contractor salaries, movies and discussions regarding costs related to movies. And we are just getting started… Expect more. Recently I saw an analyst say the leak is worth $100 million to Sony but I surmised the number is north of one billion thanks to reputational damage – salary leakage which gives competitors an advantage and of course we expect future partners and even employees to be critical of the company when doing business.

What is most interesting about the situation however is the attack was estimated to be sophisticated enough to get past 90% of firms! Moreover, it was so pervasive, it’s still flashing demands on the computers of Sony employees from Guardians of Peace or #GOP – the hacking group! And it’s not just bad for Sony. Maureen Dowd of the New York Times took a major credibility hit as it was revealed she offered to show her story to Sony Pictures co-chair, Bernard Weinraub before it was published. If that wasn’t enough, the medical records of many Sony employees and family members were also released.

News today tells of Sony launching a denial of server attack to make it difficult for sites hosting the information to disseminate it. AWS was supposed to be the vehicle being used according to Re/Code. Amazon is denying its servers are being used for such a purpose. The reality may be somewhere in-between as a company called MediaDefender or a similar concern is likely being used to seed torrent networks with false seeds of file names similar to those being shared on such networks. The goal is to have fake seeds chew up processing power on computers and yield nothing for the user.

We can expect an escalation in the war between hackers and companies looking to block stolen information. But then again, as some have accurately surmised, Sony may bear some responsibility here as placing thousands of passwords in a file named Password may not have been the smartest thing in the world.

Sony Pictures is close to monopolizing security news with post-cyber-attack ripples.

Those ripples now include getting sued by ex-employees over privacy violations, being threatened with a terrorist attack similar to 9/11, having its film The Interview pulled from several cinemas as a result, and the subsequent announcement that Sony has cancelled the theatrical release altogether.

On the breathe-one-small-sigh-of-relief side of the ledger, it’s received compliance with a DCMA takedown request from Reddit, which has banned users from sharing documents pilfered from the movie studio.

On Tuesday, those purportedly behind the hack threatened a terrorist attack on theaters and movie goers who attend screenings of The Interview.

The GOP had previously promised to deliver a “Christmas gift,” which originally sounded like another batch of leaked data.

But in Tuesday’s message, which Mashable reports was sent to itself and several other news outlets, along with new batch of Sony Entertainment CEO Michael Lynton’s hacked emails, warned people to stay away from the movie, specifically mentioning the 2001 attacks on New York and the Pentagon:

We will clearly show it to you at the very time and places “The Interview” be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to.

Soon all the world will see what an awful movie Sony Pictures Entertainment has made.

The world will be full of fear.

Remember the 11th of September 2001.

We recommend you to keep yourself distant from the places at that time.

(If your house is nearby, you’d better leave.)

A Department of Homeland Security (DHS) official who requested anonymity told Fortune that the DHS isn’t aware of any active plot against movie theaters in connection with the attack against Sony.

From his or her statement:

We are still analyzing the credibility of these statements, but at this time there is no credible intelligence to indicate an active plot against movie theaters within the United States. … As always, DHS will continue to adjust our security posture, as appropriate, to protect the American people.

At least one New York theater canceled the premiere of the film, which is a Seth Rogen/James Franco comedy about a plot to kill North Korea’s leader Kim Jong-Un.

Carmike Cinemas, a move theater chain that’s based in Columbus, Georgia, and which has theaters in 41 states, also chose not to show The Interview, according to The Hollywood Reporter.

In addition, the two stars canceled all of their upcoming press events, according to BuzzFeed, which was hosting an event with the two.

Sony announced yesterday that it wouldn’t be releasing The Interview on Christmas Day as planned:

In light of the decision by the majority of our exhibitors not to show the film The Interview, we have decided not to move forward with the planned December 25 theatrical release. We respect and understand our partners’ decision and, of course, completely share their paramount interest in the safety of employees and theater-goers.

Sony Pictures has been the victim of an unprecedented criminal assault against our employees, our customers, and our business. Those who attacked us stole our intellectual property, private emails, and sensitive and proprietary material, and sought to destroy our spirit and our morale — all apparently to thwart the release of a movie they did not like. We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public. We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.

In other fallout, two of the movie studio’s ex-employees have sued the company for failing to protect their private information.

They’d like to turn it into a class action lawsuit of up to 15,000 former employees.

The plaintiffs haven’t been specific about the amount of money they’re seeking, but according to Money CNN, they want Sony to provide five years of credit monitoring, bank monitoring, identity theft insurance and credit restoration service. They’re also seeking for Sony to be subject to regular privacy audits.

Finally, a ray of hope that somebody on the internet is going to take down Sony’s doxed materials.

As it is, Sony on Monday warned the media not to publish the details of anything that was stolen in last month’s breach.

By Wednesday, Reddit had acceded to a DMCA takedown request from Sony.

Over 100,000 WordPress sites have been infected by vulnerable third-party plug-in that many may not even realize they are running, and that number is growing.

The popular open-source WordPress blogging and content management system (CMS) is at risk from a vulnerable third-party plug-in that many users may not even realize they are running. According to security firm Sucuri, the vulnerability may have already exposed more than 100,000 WordPress Websites to exploitation via malware known as SoakSoak.

The actual vulnerability is in the RevSlider third-party plug-in, which is often bundled by WordPress theme developers in themes that WordPress site administrators can choose to install.

Sucuri first warned of vulnerabilities in the RevSlider plug-in in September, and an updated version of the plug-in has been available for months. It wasn’t until Dec. 14 that a large-scale attack that abuses the RevSlider vulnerabilities emerged. The attack leverages the RevSlider vulnerabilities to connect with the SoakSoak.ru domain to load a JavaScript malware.

“This plug-in [RevSlider] has multiple vulnerabilities, and one of them allows anyone to upload a theme to the vulnerable site,” Daniel Cid, co-founder and CTO of Sucuri, explained. “Attackers are leveraging it to upload a backdoor that gives them control of the Website.”

Cid added that the vulnerability is not really an application permission issue, but rather it is more of an issue about a lack of access control on the upload functions.

While some malware spreads with worm functionality that self-replicates, that’s not the case with the SoakSoak malware infection.

“It is spreading so quickly because this plug-in is integrated by many themes and most Webmasters are not even aware they have this plug-in in their sites,” Cid said. “We are not seeing a worm out of it, just a massive scanning looking for vulnerable hosts.”

What Should Be Done

The simple truth of the matter is that there are WordPress sites that are running out-of-date third-party plug-ins.

“The main issue is the lack of awareness from Webmasters that have been using an unpatched plug-in for months,” Cid said. “If they had updated or taken the proper security steps, like installing a Website firewall or hardened their sites, they would have been safe.”

The issue of out-of-date third-party plug-ins representing a risk to WordPress sites is not a new one. In July, Sucuri warned of potential malware infections that leveraged an out-of-date MailPoet plug-in for WordPress.

The open-source WordPress project has provided automatic updates for security fixes in the core WordPress application since the 3.7 version in October 2013. The automatic updates do not currently include automatically updating all of a user’s plug-ins.

Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, noted that those who are in charge of checking the security of WordPress already warn users about out-of-date plug-ins. The latest WordPress releases provide users with a list of plug-ins that need to be updated on users’ WordPress dashboard. Hansen added that it would be a good idea if WordPress gave users the option to automatically disable plug-ins that are known to be vulnerable, without risking the user’s sites.

“Given that plug-ins are the most vulnerable part of the ecosystem, it would be prudent to treat them as unknown and potentially dangerous software that can and should be disabled if the administrators are paranoid,” Hanson stated.

The idea of fully automated security updates is not one that sits well with Amichai Shulman, CTO of Imperva.

“Most organizations would not allow any functional change to go live untested in a lab, and without a proper change management process,” Shulman stated. “Why would someone give this up for a security fix?”

Shulman sees the deployment of Web Application Firewall (WAF) rules as being a key mechanism to minimize security risk. Some WAFs provide out-of-the-box protection against the specific type of vulnerability that led to the SoakSoak infection, which is an arbitrary file access through directory traversal issue, he added.

“As previous grid failures, including the multiday Northeast blackout of 2003, have shown, any event that causes prolonged power outages over a large area would not only be extremely costly, it would wreak havoc on millions of people’s daily lives and could profoundly disrupt the delivery of essential services, including communications, food, water, health care and emergency response,” explained a report from the Bipartisan Policy Center’s (BPC) Electric Grid Cybersecurity Initiative, which was launched as a collaboration of BPC’s Energy and Homeland Security Projects in May 2013. Its goal is to develop policies – aimed at government agencies as well as private companies – for protecting the North American electric grid from cyber-attacks.

“Moreover, cyber threats, unlike traditional threats to electric grid reliability such as extreme weather, are less predictable in their timing and more difficult to anticipate and address,” it added. “A cyber-attack could come from many sources and—given the size and complexity of the North American electric grid—could target many potential vulnerabilities. For this reason, experts agree that the risk of a successful attack is significant, and that the system and its operators must be prepared to contain and minimize the consequences.”

To put the scope of the issue into perspective, the Industrial Control Systems Cyber Emergency Response Team (ICSCERT) reported responding to 198 cyber incidents in fiscal year 2012 across all critical infrastructure sectors. A full 41% of these incidents involved the energy sector, particularly electricity.

Current efforts to provide for electric grid cybersecurity are dispersed and involve numerous federal, state and local agencies, BPC noted. These include mandatory federal standards that apply to the bulk power system and nuclear power plants, and mechanisms to facilitate relevant information-sharing between the public and private sectors, and within the power sector itself.

“But given the complexity, fast-changing nature, and magnitude of potential cyber threats, it is also clear that more must be done to improve grid cybersecurity,” BPC said.

Urgent priorities include strengthening existing protections, for the distribution system as well as the bulk power system; enhancing coordination at all levels; and accelerating the development of robust protocols for response and recovery in the event of a successful attack.

One key policy challenge is that current “economic and institutional factors” are keeping power sector investments in cybersecurity – including investments in research and development – below where they should be.

“First, given the interconnected nature of the grid, the benefits of these investments are likely to extend beyond the footprint of an individual company,” BPC said. “Because the company making the investment is unlikely to be able to capture these spillover benefits, many companies may limit their investments to a level that is suboptimal from the perspective of the grid as a whole. Second, since the risks and consequences of a cyber-attack are difficult to estimate and quantify, individual companies may have a difficult time determining which investments to make beyond the minimum required for compliance with mandatory standards.”

While there’s no magic bullet given the nature of the evolving threat and barriers to sufficient investment, BPC is advocating a couple of new approaches. One is the establishment of an industry-wide organization, modeled on the Institute for Nuclear Power Operations (INPO), to advance cybersecurity practices across the industry.

“We expect that such an organization—coupled with appropriate incentives for participation such as insurance policies and liability protection—could do much to improve cybersecurity across the industry.”

Other approaches that it recommends rely on public-private partnerships that would mobilize the respective assets and expertise of industry and government agencies, and improve the flow of information between government and industry and across different companies. This echoes the federally developed Cybersecurity Framework recently released by the National Institute of Standards and Technology (NIST).

There is always work to do, and BPC laid out a roadmap for its efforts going forward. “In the coming months, BPC staff and Initiative co-chairs will reach out to policymakers and stakeholders to advance these and other recommendations,” said the group. “At the same time, BPC will work to address challenges that would remain even if all the recommendations in this report were adopted. For example, because privacy concerns continue to present a stumbling block for efforts to enhance information sharing between industry and government, additional ideas and compromises will be needed to break the current legislative logjam in this area.”

In what some security experts are calling a “game changer,” a Minnesota federal court held Target liable earlier this month for data breach losses because the company had ignored its own security alerts.

Target is based in Minnesota, but the Minnesota Plastic Card Security Act, which specifically allows banks that issue payment cards to sue breaching merchants, also covers any company that does business in that state, according to Karl Belgum, an attorney with Nixon Peabody LLP.

The decision does not involve a financial penalty against Target, but it does allow the case to move forward to the next step.

Now, financial institutions that say they have spent billions of dollars issuing replacement cards can now proceed with a negligence class action lawsuit against Target.

“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Judge Paul Magnuson said in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”

The judge also agreed with the banks’ argument that Target failed “to heed the warning signs as the hackers’ attack began.”

Too many alerts, too little time

The problem, according to Brian Foster, CTO at Atlanta-based security firm Damballa, Inc., is that companies can’t possibly respond to every single security alert they get.

In Target’s case, for example, the company failed to heed warnings from its FireEye prevntion system and for disabling the automatic blocking feature.

But how many companies would immediately disconnect devices from their network based on an alert? he asked.

“Most are false positives,” Foster said.

For example, a piece of malware might cross a company’s network on its way to an endpoint device but never get installed because the user rejects it, antivirus catches it, it’s sandboxed, or its designed for a different operating system or environment.

According to a Ponemon survey to be released next month, enterprises that have between 10,000 and 15,000 employees see an average of 17,000 security alerts a week. Target has over 300,000 employes.

According to the Ponemon study, only 19 percent of the incoming alerts are reliable.

In another survey, Damballa found that the average number of actual, successful daily infections was 97.

Foster recommends that companies look at the security tools they are using and if they generate too many unactionable alerts, that they either staff up, or look for new tools.

“They’re going to have to hire an army of humans to look at all the alerts, and not let any slip through,” he said. “And that’s not really sustainable. For one thing, the number of humans trained in this space is already in high demand.”

Beyond alerts

Judge Magnuson dismissed Target’s arguments that it should only be liable for Minnesota transactions, and that the company shouldn’t be liable for data stolen from point of sale terminals instead of from its databases.

Target did store some data in violation of the state law, specifically the CVV codes for the payment cards, which made the breach more serious, Magnuson said.

The decision as a whole is an important one for the retail industry, said Amy Mushahwar, counsel and Chief Information Security Officer at Washington, D.C.-based ZwillGen PLLC.

“This is a ruling that we’re all going to be living with for a very long time.”

The case builds on the existing agreements between merchants and payment card processors, she added.

“When you get a merchant account, you agree to be responsible for any fraudulent charges that result from you not being PCI DSS compliant,” she said, referring to the Payment Card Industry’s Data Security Standard.

This ruling just solidifies the premise that’s already been established, she said.

“Realistically, though, what is most concerning about the target breach, is that the breach happened via an HVAC vendor,” she said. “This was not a segment of Target’s network that it viewed as being a part of the payment card network.”

Turning off alerts altogether isn’t an option, she added, since companies must have the ability to respond to incidents. But as companies move to technology that prioritizes some alerts over others, they need to be careful about potentially giving up control.

“There are new systems where much of the tuning of the alerting functions and capability happens at the device level and program level, so that companies are getting less visibility in their alerting functionality,” she said. “So this problem will become even more difficult.”

Magnuson’s ruling could have been even worse for retailers if he had sided with the banks on the definition of the word “retain.” Although Target did not save credit card numbers, the hackers themselves temporarily stored the numbers on Target’s servers so that Target was, technically, in possession of those numbers. The ruling sidestepped the question of whether Target was liable for this, leaving this issue still up in the air.